Slashdot Mirror
P2P Programs on K-12 Networks?
deque_alpha asks: "I am a system administrator for a small K-12 public school district. I am taking over after a bunch of goofballs have really messed things up, the technology department is in utter disarray. I have near infinite problems, but the hairiest are with people sucking up what little bandwidth we have, introducing virii, downloading warez, and generally causing problems with P2P file sharing programs. I don't generally have a problem with these programs, but they are not an appropriate use of the limited bandwidth of a K-12 institution as they provide little in the way of an educational resource, not to mention the legal liability they potentially introduce. The rub lies in that these people are teachers, and I have virtually no policy to back me up if I come down on them, but shutting them down is neccesary to maintain harmony (and legality) on the network. I don't have the authority to pen new policies myself, and my supervisor cannot to be counted on to do it either. Have any of you been in this position before? How would you approach solving it without totally alienating your users? How do you broach the subject of introducing new policies with supervisors?"
This is obviously a problem that lies in every school district and also in college. Just take charge and let the teachers know (in a non-technical and informative way) the reasons that you want to block these specific P2P networks from being accessed. If you set a standard, people will conform
Set up a web proxy. Firewall off everything else. Only allow port 80 traffic from workstations. It will kill off all the bandwidth eating crap, but still allow use of the internet for school.
Michael Loves Me!
I am not a big user of the P2P programs, but my first guess would be to figure out which ports are being used by common P2P programs, and then throttle them down to 0.5kbps. The trick is, that if your users are doing something illegal, it's really tough for them to complain about it running slowly. :^)
As for how to throttle them down, I'm sure it's possible with a properly configured linux server/firewall along with some kind of proxy program.
--Robert
Simple,
You just put in a new firewall that doesn't support such things. Technical limitation, wink wink.
In other words, lock them behind an http only proxy, or whatever other proxies they really need. You aren't a general use ISP.
If they complain, tell them it's impossible to change, due to some complex technical matter. Just mention TCP header length and TTL and their eyes will glaze over as they nod slowly.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
You've got problems with p2p users and virus idiots? Just block all the relevant p2p ports and blame it on a computer virus. Then sit back and watch the two groups destroy each other.
My favorite method at this time is to just shut off whatever I need to shut off. Limit access where it needs to be limited.
Then when the questions start flying I just shrug and try to look dumb. "I don't know what happened to your ability to download porn at work."
They wont know what's going on and most people despite all reason believe that computers act in a random and hurtful manner of their own volition.
.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Hold a meeting with your staff, and explain to them the dangers, liabilities and your other various points. Explain it so THEY will understand what you are talking about, without talking DOWN to them. If they are responsible adults, they will understand and should comply somewhat if not entirely.
I always believe that it is easiest to reason with people before going behind their backs with rules, policies, etc. Once you have an understanding established, then apply some rules and policies, with the backing of the staff.
Beyond that if they won't work with you, then block the common file sharing ports or throttle the bandwidth to their workstations! That will always work!
I find that most often I end up learning from necessity, rather than for enjoyment.
When it comes to implementing technology policy in any organization unfortunately the only way to be successful is to have 100% support from upper mgmt (or in your case administration). You can always regulate on your own and act like you have the authority, but sooner or later you'll piss off the wrong person and that person will just so happen to be best buds with your boss. Good luck.
It truly amazes me how many times I've been hired or contracted to do something but not had the authority to follow through.
Find out if your town or county has any kind of acceptable use policy. They probably do. Or, if your school receives state funding, perhaps there is an acceptable use policy at the state level. In short, follow the money and then check for policies.
I'm sure you'll find that what these teachers are doing is not acceptable. Put up a firewall, do what you need to do so that P2P software doesn't work, and when they come and complain point to the policy that defines acceptable use.
Whatever you do, enforce across the board! Don't just block the few teachers that are the problem, block the whole network. That's the best way to stay out of trouble.
My Karma was at 49, then they switched to words. All that work for nothing!
Well, if you can't pen policy, you can create paranoia in order to create harmony. In you case, big brother is watching. You might not be able tell people to stop, but you can pen a friendly letter explaining the legalities, liabilities, oh, and that you have the technology to log and track all internet traffic going on the network.
A little paranoia goes a long way. And as an added benfit those you don't have to stick up for anything because you're not changing policy at all. You are "executing the due diligence required by law".
i'm not aware of any pedestrians being run over by a computer being used by some kid.
With a linux firewall this is easy to do with qos and such.
They can still use p2p systems, you just limit the bandwidth to levels not harming genuine educational use. This shouldn't be hard to sell to your supervisors.
Jeroen
Secure messaging: http://quickmsg.vreeken.net/
I am from the RIAAA [as far as you know] and am hereby officially notifying you, as an administrator or electronic services at your institution, to cease and desist illegal activity or face civil and criminal prosecution.
;)
When they complain, just tell them you were given a cease and desist notice
Let's see... you have no policy, you can't get one, you can't just cut people off....
You could make the P2P stuff run so slow as to be useless... or you could send your own trojans that will erase the drives of the problem users...or you could send them porn, and get them fired...(oh, and don't get caught doing any of the above.)
Or, perhaps you're just screwed because you're trying to enforce rules where you have no authority to do so. I'm not neccessarily saying you shouldn't have the authority... just that you clearly don't, and any attempt to enforce your idea of policy is bound to cause you trouble. You time is probably best spent figuring out how to get a policy.
If you block the P2P software and make it the official policy that it should not be used, document that thoroughly. Make sure that it's expressly for the purpose of keeping unlicensed software out of your system. Then, insist that everyone show their licenses for their software. Put up big posters explaining that you are doing this because it's important to comply with the law. Become the biggest pain in the butt to everyone who opposes you.
Then, just before you think they've all had enough of you and can fire you, call the BSA on yourself. When that phone call from the BSA comes, you can point at all your policies and say that all along you were just trying to avoid that exact situation. Suddenly all the babies who were crying because you took away their Kazaa will be viewed as the real problem in the organization. You will have achieved Total Management Support (TM).
If tits were wings it'd be flying around.
You're in a school, this is would be one of the BEST environment to educate the people about all of these issues. You'll say that some people won't give a rat, but that's like in society in general, if people don't give a rat and anarchy reigns, stronger measure needs to be taken.
:) ) , and it put the user in a situation where he would have to go look his manager to ask to waste time leeching (which he will obviously won't do :) ) and I get no heat. Dunno up to what it could extend since where I work most people are reasonable and mature, and school isn't the same environment, but then again, it's a suggestion and I'm sure a lot of people here will have many more.
I might have gotten something wrong but if you're managing the network, usually it falls within your responsibilities to make sure to implement EVERYTHING (including some policy, or at least submitting them) for the proper operation of the network, which includes both load balancing, security and legality (to a certain extent, at least proving that you thought about it and implemented it to a certain level won't hurt).
Now if we tell you to cut down trees for a paper company and we hand you a kitchen knife, you'll say "you're crazy", well same goes with being an admin, if you're ADMIN and you can't do zit, it's a big issue. If it was a mess before you arrived, probably that the organization was a mess in the first place, I'd document everything, put up a structure of the network and who's responsible for what, limit the number of people that have "power" over the administration because as we all know, the more admins on a box, the more potential problems. So you have to do your part, be professionnal, use people's experience and be opened to suggestion, but at the same time, document every problem, and don't always go to your supervisor saying all of the problems, he's probably already familiar with them, for every problem, bring in a solution or two with arguments and documented facts (and normally supervisors like having a choice and feel like they did the work so... use that to your advantage).
As for the P2P application, I've fixed the problem at work, I've putted QoS and 1-2K/s on the total bandwidth, it's transparent "it's still working so I didn't do anything" and when those dead weights would come and see me "well probably its not optimized for our network structure and I have enough work to do, if this is a priority, go see your manager or big boss". It's politically correct since you didn't block the port and the user has no idea on what's really going on (unless reading slashdot
Good luck.
--- Metamoderating abusive downgraders since my 300th post.
Use a FreeBSD gateway machine with DUMMYNET. FreeBSD can be configured so that it: a) doesn't have to replace the existing firewall; and b) is invisible so it doesn't show up on traceroutes. This is so that clueful users are not tipped off in a way that lets them complain like pornhounds on a free NNTP service. DUMMYNET will let you set up bandwidth policies based on (groups of) IPs, ports, and more. Client subnets can have full bandwidth on port 80, but the gateway can shut them down to 28.8 on the P2P ports. The possibilities are really open in a situation like this, and any junk computer can be used.
When I was a kid, we only had one Darth.
exactly what we did...block ports and make them send you a note detailing why they want a specific port open. Most people will realize how stupid what they're asking is if they have to sit down and write it out. errr please open these ports so I can run my p2p software to pirate music using school resources...umm maybe I better not send that one :) Use SECURITY as the overall kicker, in order to maintain the security and integrity of the network it is essential the Admin knows whats going on. BTW if you do get a moron asking for P2P ports forward it to the rest of the staff for a good laugh.
:)
Follow the examples of the Bastard Operator from Hell and you cannot go wrong
errr....umm...*whooosh* *whoosh* Is this thing on ?
First thing to do is ask them if they were happy with the level of support they had before. Since you are claiming that some goofballs messed things up, it's best to start with the goofballs and try to define what they did and didn't do right. I wouldn't expect most K-12 institutions to have a good network security policy in place.
In order to get one defined, you need to start talking to administrators. Find out which services they desire to provide and which they don't. Point out that most security and network use policies these days start by defining what you are allowed to do and blocking the rest of the traffic. Put out an request to the staff that they give you a list of applications that they use for purposes of education and then get a group together to review that list. If something strikes you as questionable, ask the person to justify it.
You'll also, more than likely, want to get a list put together of officially supported software and a procedure for getting a piece of software onto the officially supported list. This keeps people from coming to you and saying "I can't download files with Morpheus" because you can just say "Is it on this list? No? Then not my problem." Part of the process of getting something on that list might be a written justification of why it should be there, and for comercial software proof of license.
You don't want to be the only one makeing decisions. You should get a committee together. You'll want an administrator and a staff member on the committee. Decisions about what will and will not be supported will be made by the committee. You need these people because they understand the classroom, that's not your job.
If it comes to it, you might want to take a look at your job description. Figure out what parts of your job you can do, and which parts will need a more defined policy to enable you to do your job properly. This is important -- if your job description says "support educational activities requireing network access and use of the internet," whacking traffic that doesn't fall into those categories is clearly a part of your job as it increases bandwidth availability for educational purposes. When somebody complains, you need something you can point to for the purpose of defending your actions.
Start at the top, schedule some meetings with administrators and express your concerns to them. Most school administrators are reasonable people and when you explain that these things are necessary for a smooth running system they'll understand. Also, most school administrators are scared sh*tless of the words "potential lawsuit", don't be afraid to use it.
This is exactly the kind of mentality that continues to harm the IT Industry workers more than it helps. Depending on the lack of education of our user bases to provide a cover for our collective bad attitudes, grudges, and lies is no answer.
Explaining these things reasonably to users without making them feel like your hating on them is perhaps a better solution. Tell them it's illegal, sometimes they just don't know. If they don't care, as has been pointed out prior to my posting they have no basis to argue with you if/when you block the ports. But tell them it's happening before you do it, or right after you do.
If somebody above you tells you to open the ports or allow the illegal activities to continue, explain to them what kind of ethical, not to mention legal issues they are bringing onto you.
I have at previous jobs had my employers sign written up and sometimes notarized documents saying that it was their decision and their action allowing the illegal activities to continue. (After I said no they got somebody else to do it against my recommendation.)
And one question: Do you like or need this job so badly that you can't explain to them your points of view without fear of losing it?
--- "Remember, there's a difference between bowing down and bending over." -Frank Zappa
This is mostly about how to bring this topic to the attention of your supervisors, since if your users are already saying there's no official policy against using p2p apps, they'll likely to just tell you to get bent on further discussion.
Over the past year or so, there have been plenty of universities that have made decisions on P2P apps, going in both directions. You can use some of these instituions as examples of why you need to police this kind of traffic. Bring up the same reasons that these universities did, and that you brought up in your question (mainly legal protection and consumption of resources).
Here are a few examples:
There are also articles on other sites that list some of the universites that have banned Napster. Here's one article: http://www.ecommercetimes.com/perl/story/4172.html . They mention the following universities: Kent State, Rice, Seton Hall and Villanova. I'm sure there are others.
You can argue that if these major universities with plenty of money can't handle this traffic, how is your small public school district supposed to handle it? Hopefully, the money argument will help you out.
One final thing you can do (and this is fighting dirty), is point out how much pr0n is out there on p2p apps. That should get someone's attention.
If all you have are silver bullets, everything looks like a werewolf.
taken from this article
Second, administrators that attempted to block the AIM service by blocking the default port of TCP/20379 were in for a shock. The AIM client/server model is extremely versatile and doesn't pay any attention to WKS (Well Known Services); the login server allows connections from every TCP port under the sun, including the ports that are likely permitted for business reasons: TCP/21 (ftp), TCP/80 (http), and TCP/443 (https). While we would never do something nasty like run nmap against login.oscar.aol.com, we think you'd be surprised if you knew just how many AIM-open ports there are.
AIM also runs over proxy; and the client has an "auto-configure" button that makes it really easy for Nancy in Human Resources to bypass your perimeter security. In a nutshell, AIM's a slippery little devil and just about impossible to block unless you're using a perimeter device with content inspection capabilities. We can expect more user toys to start exhibiting these perimeter-security-bypassing traits, which means that you will not know what applications are actually in use on the network layer, since the port number will become meaningless.
Remember when the RIAA did their experiment with those kids downloading a ton of music before the Grammys, well those same kids said they got most of their content with AIM. Shutting down everything except HTTP/SMTP/POP may not even cut it nowadays
Frankly, anyone who says that you should be scretly throttling the P2P ports is giving you bad advice. You are paid to give a service to the school - which is to provide IT services.
Part of that, as you have capably done, is identifying areas that need improvement or fixing (such as the P2P problem you mentioned). Your position doesn't entitle you to be judge jury and executioner though!
If illegal downloads are a problem, then you need to talk to the head of the school. You need to explain the legal and financial risk of allowing these downloads to continue. You need to highlight the the financial and bandwidth cost that the downloads are incurring etc etc. If the head of the school says, 'Yes, we agree. Do something to fix it' Well you just got your policy and you have carte blanche to fix it - ie block ports or whatever.
If the head of the school says, 'No, I don't want you to do anything'. Then don't. It's not your problem anymore. The head of the school has just accepted responsibility for any related issues that will occur from this continued use of P2P.
You shouldn't be doing underhand sneaky tech tricks to get the results you want on a problem that is more political in nature than technical. Doing so will mean you get out of your depth and fired.
What is it about systems administration that makes people all high and mighty all of a sudden.
There are reasons that this administrator can't arbitrarily set policies or change things according to his own whim. Now, if his job was to set up initial access to the internet, perhaps it would of been more appropriate (but not completely) in so far as a exercising certain level of discretion in how the connection to the internet is structured (proxies/firewalls/etc/).
However, the system is in a steady state, and this administrator has no basis to change it. Its (in all likelyhood) not this administrator's job to manage legal liability or even determine if p2p applications are an appropriate use.
Just as teachers can't change their curriculms as they see fit, without some oversight by the administration - administrator's have no right to make these kinds of decisions based on "what they feel is best."
The administrator however is completely within the realm of what is right and proper to make an observation, (p2p is consuming all our resources), and share it with those people that are in a position to change policy. If you really feel p2p is this horrible, find some users who are affected by it (complain they can't use or their use is substantially affected by p2p traffic.) Bottom line is, if upper management doesn't care, you shouldn't either. Run the network with a hands off approach, much like slashdot does with its comments section. If there are technical problems fix them, if there are ethical problems save the decision making to the people whose responsibility it is to make these decisions.
Perhaps you can do something inbetween: start downgrading the performance of said ports, depending on length of connection. Short connections on a p2p port go through, while longer transfers start getting slower and slower because you're dropping every nth packet.
So instead of making it impossible, illegal, or whatever, just make p2p really inconvenient. If everything else works fine, the culprits can't really complain -- in fact, this will likely make everything else faster.
As Manager of Technology for a K-12 school division, I can tell you how we do it. First of all, your system should have an Acceptable Use Policy (AUP). Students and parents should receive a copy of it each year during registration. Ours is included in the Parent/Student Handbook. All students who use the Internet must have a signed form from their parents granting privileges. Ours includes language that states that Internet access is for educational use only! Even though it isn't strictly enforced (we do allow entertainment sites for example), that language is there to back us up on content and P2P decisions.
Since students and teachers use the same network and computers, all are subject to the same policies and filters. We transparent proxy all requests to port 80 and 554 through iPrisms which filter and then pass the request on to a Squid proxy that generally runs at about a 40% hit ratio. All other Internet traffic passes through our Cisco firewall which performs NAT based on an access list. That access list denies NAT for all the popular instant messaging and P2P applications. Since all computer addresses are private, no NAT means no access. Instant messaging is blocked after an incident where a bomb threat came in that was untraceable according to AOL. P2P filtering is obvious due to copyright violations and bandwidth usage. It is interesting to watch the hits on our access lists from P2P apps that are denied. Kazaa seems to be the most popular, we block several million Kazaa packets each week.
That's how we do it, if you have any questions, let me know.
Jason
"FORMAT C:" - Kills bugs dead!
Since you're going to be taking charge, eliminate the support program of preference for more than 99% of viruses.
Rather than just blocking ports, put up an FTP server as well, and hand out forms asking people what they want the school to make available on them. That way, they have to write it down and put their names to it. Explain that people making multiple downloads of the same thing was costing the school a fortune. Redirect any web or FTP request for a file ending EXE COM ZIP RAR ZOO BAT TGZ TAR.GZ RPM ISO MP3 etc to the FTP server, so if you have it, they get it and if you don't, they have to ask (put a form for that in Squid's file-not-found page).
Actively scan the Squid logs for porn, and if you're getting reliable requests for same from a specific user or machine, print out a list, walk down and ask them if they knew that their class was downloading pornography, and could they please stop because the principal is very busy and doesn't want to get involved. Log these incidents and CC the log to the principal's office regularly. If you don't, and someone else does the busting, your ass is on the line.
Just do it, fait accompli, and when the complaints start rolling in, log them, hand out a form, and if they refuse the form ask them why they want to send the school broke. Instantly, in writing, and CC it to the principal.
You're in the right. Act like it. Otherwise that job's not worth having for less than USD$100k a year.
Got time? Spend some of it coding or testing
Once upon a time, social engineering was a valuable part of a hacker's skillset. I suggest buying (and reading) a copy of Dale Carnegie's "How to Win Friends and Influence People" -- or just going directly to the teachers. Tell them you're the new guy working on the networks and you're trying to analyze and optimize and [insert other techincal sounding word here] the network. Ask them if you can schedule 5 minutes of their time, say next Thursday just before lunch? Explain the bandwidth problem, tell them that programs such as Kazaa and Back Orifice are not allowed on the school network. You can even type up a list of what's inappropriate yourself (and put a graphic border around it) and title it "Official District Network Acceptable Use Policy." Explain that you've been given the job to set up a firewall and set up bandwidth caps to prevent viruses and potential access to porn and pirated MP3s. Express your sympathy for their inconvenience (at this point they will admit it is hardly any inconvenience at all to have to wait to get home and download porn), and ask if there is anything you can do to help them out. You can show them a couple cool sites, teach them to defrag, dust out the chalkboard erasers, and leave an apple on their desk. Let them know that all traffic is being logged, and that your superviser receives a weekly summary, so they shouldn't feel any need to narc on their fellow teachers. Tell them if they have any questions, don't hesitate to call you or your superviser.
I-Gear has gone way downhill over the past couple of years and has driven off many school systems including mine. Their Linux version never ran properly on a multi-processor server. With no support for load-balancing and sharing of user accounts, that was a killer for a large system. If that wasn't bad enough, their support really went in the crapper when Symantec bought them out. I used to be able to talk to the programmers directly when we had a problem. Now, the support people don't have a clue about Linux or Solaris. Their DDR and auto-lock features are excellent, but the company has spoiled us on their product for good now.
Jason
"FORMAT C:" - Kills bugs dead!
Well I can speak from experience that becoming a teacher is no easy task. My wife was an "education major" as you like to call it, and the list of classes she had to take was quite impressive. She was taking classes on foreign cultures, philosophy, mid-to-high level math, literature, environmental studies, child development, etc... My classload of 6 CS courses was weak compared to her schedule. And that's just to get the BA degree.
Then it's off to at least another year to get the credential (though since we live in California it's currently not required, but for the sake of the argument, go with me...) That program involves supervised and unsupervised time in a classroom, preparing and presenting lessons, and dealing with whatever age-level class you're in while trying to teach children who, for the most part, just want to go out and play. I've known several people who went through the entire program only to wash out in the classroom. Imagine devoting years of your life to an unpopular, low-paid career only to find out you can't cut it. People become teachers because they want to. People become IT drones because of the pay.
How good are you at keeping the attention of a room full of 1st or 2nd grade kids? If you're like most readers here you're probably working in an office somewhere and dealing with people who, for the most part, know how to do their jobs at least minimally. You can communicate with them on the same level. And you spend most of your time in an 8-foot-square cubical interacting with a machine that will do whatever you tell it to do (unless you're running WinME). Not exactly a rough existence, eh? Now imagine yourself in a room with 30 PCs, each with a different OS/CPU/GUI, and someone has broken into each machine and is installing and removing programs and drivers at random while you're trying to share a printer to each machine. You can't just yank the network and power cords. Wanna come to work today?
I will admit that "liberal studies" is kind of a fall-back major, but becoming and being a teacher in this country is not easy. I come to work every day and have no fear that a co-worker will pull out a gun and shoot me. I get paid well for the work that I do, and I don't consider it to be difficult work. But in the end, the work I do is inconsequential compared to what teachers do. Sure, there are some teachers who just don't care anymore, but wouldn't you get burned out if you can droves of people shooting down your profession after you've given years of yourself to it?
When I introduce you to my wife, go ahead and speak very slowly and in short little words. I'll be smiling as she plows your little brain into the ground.
Your best bet is probably to just act without concent from those above you. Most of the time asking clueless authority figures to take a stance on specific policy is a bad idea. If you tell someone "P2P filesharing is bad" they will extend it to absurd levels of stupidity. You are the administrator, do your job as such.
A good idea is something like dummynet between your internal network and your router. You can throttle bandwidth or add queues (simulates lag) to specific services over your network according to IP addresses or service ports. You can force an even bandwidth distribution between all the hosts connecting through port 80 but throttle back the speed of anything coming through other ports. You don'y necessarily have to block file sharing requests but you can keep them from dominating your network. Once you remove the incentive for people to use P2P services on the school's network they will knock it off.
I'm a loner Dottie, a Rebel.
I've dealt with a very similar problem. I work at a university, and we have a very fat pipe to both the internet and I2. The specific problem is students living in the dorms using all the bandwith with P2P type traffic.
Not wanting to play 'police', we didn't stop them from using P2P, we just used our firewall to limit the total use of specific protocols and ports to 5 percent of the total traffic.
It has been a very effective solution.
Obviously, you've never worked in a school enviroment before. I'm guessing you're corporate, but a much smaller level (even Fortune 500's have more politics than your work). Small but growing regional business? Anyways, let me get back on topic.
I briefly worked on a smallscale rollout project for a major (top 50 in population) city school system. There were ongoing political issues at the the superintendent level, unrelated to our technical problems, but likely to affect everyone's job one way or another. But virus problems were becoming impossible to deal with, so they moved the date forward for another rollout project, and added a Norton AV procedure.
Let me tell you, even the smoothest Windows rollout project sucks, they are never interesting no matter what. You never learn much, but when times are tight like they have been...
Well, the firm I usually deal with, calls up with this job, and they tell me 5-7 months of steady work. Those in the know, know that this means at best 3-5 months of less than 40 hours per week, but that was figured into my equations. They make it out that this is as simple as it gets, just me and another fellow, to make it last longer, and spread out the cost for the school system (Don't these places have an annual budget?!? Don't ask me...). No problem. Only after awhile, does it become apparent that this guy was only barely competent to begin with.
Well, this tech firm (which will remain nameless, they've sued ex-employees before over such) put the new sales rep on the school. That was bad. When the school says they just want the 2 grunts, and want to use one of their admins for the project manager, he agrees. Doesn't even diplomatically suggest different. He meets with her several times, still doesn't suggest otherwise. She was, unfortunately, a total ditz that apparently passed a CNE bootcamp course a few years back. But if her technical competency was horrible, then her management skills were absolutely abysmal. This had disaster written all over it, right from the beginning.
Well, you remember how I said that it was a rollout already planned? Well, the bulk of it was for some Novell Netware software, zenworks client, a few other things that I never actually learned of. Well, the ditz CNE's boss (also a woman, hate to be sexist but...) was having a power lunch with the VAR who was pushing the nw software. And she signed the deal, I think this was for at least $90,000... only this particular software only works with NT. There was no netware equivalent. 100 grand, gone like that. I don't know what was worse, that she would buy software that she obviously had no clue about, or that there is a VAR out there that sleezy.
I go into the briefing, just the tech firm, no client people there. I ask, time and again, was this tested, was that... "Yes, everything has been tested thoroughly, we expect you to be able to do the installs 20 minutes tops, per station". We start the next week, at City Hall (the admin offices are the top 3 floors). It's a total mess. The dumbass CNE/admin decides that first morning, that she would like us to do an inventory at the same time. Hands us some copies of paperwork, standard SN, asset #, etc. We're talking close to 25,000 machines throughout the school district (though not all are in scope for this rollout, maybe only half that). What does she think, that it means anything on paper? Is she gonna do data entry herself, when we turn these in? Or is she just trying to sabotage us even more?
In the administrative offices, there is a mixture of Win95a/win95b/win98/NT4/win2k. Wide variety of machines, including some new ones being installed by school technicians. The new ones are compaq... but they have no contract with compaq at all. I'm guessing Compaq salespeople somehow knew what a mess it was, and wanted nothing to do with it. We are given nothing at all like real procedure documentation... I could write docs better than this. A single page. 1. The grammar was awful, and it basically said install this software. We ended up discovering for ourselves just what options were needed. In the offices, close to 1 in 3 machines broke badly when installing the software, even after we figured out the correct options. Bloated registries, version dll soup, user installed software, all kinds of different things. We were spending up to 2 hours per machine, and the one week at city hall turns into 3. The sales rep lets us know the client is a little bit upset, and can't understand what the problem is.
Well, we move on to the first school. God, it was horrible, when I was in school, there were 3 Apple IIe's in the science room, for a month (They got switched out to another school in the county after that). In this school, there were no less 14 computer labs, all with 20+ machines. Every other room had at least 1 and sometimes 2 machines. 95% pII +. What did they teach these kids? Well, they taught them to be secretaries and other minimum wage type things. Any number of incredibly cool things to be teaching them, but no, just word processing, maybe spreadsheets (though I could never confirm that one).
We get there, and no one has even heard there will be any work done on the computers. 2 days to straighten that out. We can do work now, but only after 2pm (but the doors lock at 4pm, have to be out by then). Most of the labs lock all the keyboards up, and no one has a key (apparently they get vandalized or stolen). Lose another 3 days there. We get permission from individual teachers to do this, before 2pm. But code red alerts happen at least twice per day. This is when even though the bell rings, and its time for a new class, the kids all have to stay in the current one. The teacher locks the door, and the sherrif and deputies go through the halls grabbing all the dope dealers. Code red's never happen at a set time, so we end up missing a progress meeting with the ditz CNE. That was bad.
Then, most of the lab machines are win95b, but haven't been reinstalled in over 4 years. Registries bloated so badly, that maybe only 15 out of 25 machines in any given lab are usable (and they've been like that for months, since the school techs refuse to support any machine not in the administrative offices). Of the 15, roughly 5 will have one set of win95 lockdown software on them, another 5 will have a different lockdown software, and 2 will have a third lockdown app. The rest have none. No one remembers or ever knew the passwords. When we do manage to disable it, if we can, it takes forever to learn just how to make it behave. But once our software install is complete, the machines become more unstable than anything I have EVER seen before. We end up rendering an entire lab unusable. We call up the ditz, she says if they still boot, proceed. They do boot up (most of the time), so we end up doing every lab in the school. We end up rendering all of them unusable. Complaints fly all over the place.
The sales rep arranges an emergency meeting with the ditz, her boss, and us. Plus another engineer from our firm, whom I question even his competency. We explain everything, including how this could only be expected when absolutely no testing was done beforehand. We explain that win95 is completely unsuitable, but even more so, when it isn't pristine (which is unbelievably generous, these had NEVER been reinstalled) you'll see these sorts of problems. We explain that the lockdown software is part of the problem, but not all of it. So they decide that the other tech will go work on another project, and that I and the engineer will go see if there is any salvaging it. We manage to go back to one of the labs we'd done. 2 hours there were enough to convince him (I winced at first, the first machine he turned on had almost no probelms). Every machine would BSOD. It would do the windows partial freezes, the buzzing mouse, all your favorite win95 problems. Some of the machines died at bootup, conflicts with the lockout software. He agrees that we can't go on as we had.
So, we make a proposal to spend a few weeks building install images and doing testing. We'll install 95 back on them, since that's all there is for licenses, but it will be pristine, each machine will have an identical image build. We'll standardize on one lockdown app, with documented passwords, etc.
Offer rejected. Too much embarrassment, I think that we made it clear that we had a clue, and all along knew how retarded they were. Also had a little bit to do with their strict no reinstall policy (I'm not making that up). Seems that at least 3 other dept's had claims on certain machines/labs, donations and what not. And their was enough inter-departmental rivalry, that IT wouldn't reinstall OS's, mostly because each dept wanted the same apps installed that were on the machines when donated. Which is utterly ridiculous, since M$ office was all that was ever used.
I got 6 week's worth of paychecks out of it. For trashing an entire school's worth of computers. Which, as far as I know, are still not functioning. Not that anyone cares. I do in a way, but have zero control over any of it. Makes me sick that my tax dollars pay for it.
Solution for the original slashdt asker:
Find another job in a non-k12 setting.
Nothing can fix your situation. You may be the only one there qualified to teach anything having to do with computers, and you are not a teacher. The computers are a waste of tax dollars in their current capacity, and are only ever used for the most outrageous abuses. The shit will hit the fan, though maybe not for awhile yet, and you do not want to be there when it does.
Once you have their support, analyze and gather data. Get proof of how much network bandwidth is being consumed by non-educational applications. A good sniffer can do this for you. I'm an old school Mac user. I use Etherpeek for this task. It's cheaper than most other sniffers. You could also see if a peer school could assist you if they have already purchased a sniffer. That would save you some cash up front. Gather the data. Graph the results (suits are usually illiterate so you'll need nice pretty graphs). In your initial report, don't list specific people. K-12 school politics run rampant. If some jackass teacher thinks you're infringing on their "rights", they'll run screaming to their KNEA rep (or whatever it's named in your state). Then you'll lose you suits' support. Keep it personel neutral unless they ask for it. Present to the suits how much this non-educational software is costing the school district in the form of bandwidth and how it's affecting educational uses of the network. Find horror stories of what allowing the students to access porn, warez, and other things like that have cost other schools. Throw in a bit of security preaching too. Show them the effects of lack of security (defaced websites, compromised personal information, grade altering, etc..). Demonstrate a few of the apps for these people. Show them how to find a copy of Photoshop on the 'Net. Then show them how much it costs in a magazine. Toss is a little threatening material about the bastards that threaten to sue you if you don't let them install their auditing software. BSA, IIRC. Show the suits how you can save money by eliminating the non-educational uses of the I1 bandwidth (don't attack local traffic, just 'Net traffic). Emphasize the use of cheaper (read: free) alternatives like Linux for firewalls. Remember, money counts right now. Money, security, etc.. should do the trick. Good luck!
Ask your supervisor to delegate to you the authority needed to set domain policy.
This authority may be pen-and-paper authority to write new regulations that he affixes his name to, or it may be network-level authority in a computer system to edit security policies and permissions on the routers.
Or, do what usually works:
Write what *you* think the ideal proposal for the situation is, and give it to your supervisor saying "I've noticed a problem and I realize you're really busy so it may not have been a priority for you; however, I took an initiative to try to address it. If you find this acceptable, perhaps you could pass it on to someone else?"
You'll get points for initiative at least.
Just install webcams pointing at every single monitor in the building, all displaying on your own console in a dark room behind a one-way mirror. When you spot any pr0n or other undesirable usage, just put on some cool shades and walk up to the luser's box, right in his face. Put on some gloves and snip the PC's power cord with cable cutters while saying "Access Denied" through a portable voice morpher.
Then punch the living shiznit out of the fuckin' unrespectful perv.
-Billco, Fnarg.com
I hate firewalls, proxies, and that crap. They don't really stop anything.. they just funnel it all into 1 port. Instead.. I would suggest per user bandwidth/disk quotas. Also.. like lockers.. the systems are school property, not faculty or student. Thus, I don't think there's any right to privacy. Snoop, spy, sniff till your heart's content. As important as I think privacy is, I don't feel it is a right at school or at work. I feel it is a privaledge that can and often is abused. Legality aside, if you're doing something you don't want other people to know about, it's probably not too smart to do it at work or school. Faculty or students can probably look at the post-it note under your keyboard and violate your privacy just as easily as the administration. If you get caught doing something you shouldn't do, you have noone to blame but yourself.
Of course, I would not outlaw all recreational use. If some kids would like to play a spirited match of BZFlag during their lunch break, so be it. Turn students and faculty onto legal ways to enjoy computers. A policy of, "NO FUN 4 U!" will only succeed in turning teachers and students off of computers. There's tons of free fun crap on the net.
I suggest you ignore all the advice to do something behind everyone's back and then lie about it. If you get caught once in a lie, everyone views you as a liar. This is tactially unsuccessful, quite aside from moral issues.
You really ought to set up a good firewall and Squid proxy server, though. That's just common sense; you don't want people hacking in to the school, and when a whole class hits a web site, you want 1 person to load the cache and 29 people to read the cache (not 30 people pulling down the web page from the site). That will give you a good position if and when you do get the authority to set a policy: instead of saying "Don't do X", you make it very difficult to do X. It's better to make it hard to do the wrong thing, than to try to punish those who do the wrong thing.
You could suggest a really strong firewall, with only specific ports opened, and require a request in writing to open any other ports. Like someone else suggested, you could write up a proposal for what you want, and see if you can get someone above you to say "go ahead and do that".
If your superiors require you to let the teachers continue to run riot, just get a good paper trail going: get your orders from above in writing, document in writing all the time you have to spend running around putting out fires. When it's time for your performance review, pull out the paperwork and say that you have been doing the job they ordered you to do; you don't want them to give you a poor performance rating because you didn't get much else done while you were running around putting out fires.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely